Pacemakers, Cars, Energy Grids: The Tech That Should Not Be Hackable, Is

While laptops and Web services remain the most popular targets for cyber attacks, hackers are gradually turning to life-critical devices and systems.

The death of one 35-year-old white male in San Francisco's Nob Hill neighborhood last Thursday would usually not be a news story, especially since police said no foul play was involved.

But the death in question was of Barnaby Jack, a celebrated "white hat" hacker, who used his skills to expose vulnerabilities in tech hardware and helped companies to address them. Jack, who was known for hacking medical devices, was a week away from disclosing his newest findings at a top-tier hacker conference on August 1.

While it might take about a month to determine the cause of Jack's death, it's probably unwise to buy into wild theories, even though speculation and rumors are all over the Web.

It goes without saying, however, that hacking of mission-critical devices and systems is an incredibly sensitive subject; white hat hackers provide a glimpse of what future stealth cyber warfare could look like, and they can reveal weaknesses in products and industries worth billions of dollars. They also demonstrate the human costs of unprotected technology. While a virus on a local PC could -- in the worst case -- compromise your private information or business, custom-made malware may compromise, well, your factory, or a nuclear power plant, or even cost someone their life.

Here's a brief round-up of the devices and systems that really should not be hackable... but they are.

Pacemakers and ICDs

Killing a person from 50 feet away with a deadly 830V electrical shock through a cardiac implant? It's not Homeland; it's reality.

Last fall, Jack, speaking at the Breakpoint conference in Melbourne, showed a video demonstration of his remote attack against an implantable cardioverter-defibrillator. The hack delivered a deadly 830V blow with a distinctive sound. He was planning to reveal more details at Black Hat this year. Instead, the conference organizers decided to leave Jack's talk slot empty "to commemorate his life and work."

There are well over 3 million pacemakers and over 1.7 million implantable cardioverter-defibrillators (ICDs) in use, Jack said in the brief description of the talk he was planning to give at the Black Hat USA hacker conference this year.

Security firm IOActive, Jack's employer, earlier revealed that other types of medical devices might be hacked, too -- think insulin pumps, wirelessly programmed to deliver less or more insulin, leading to fatal results.

So yes, it is serious. In June, the FDA sent makers of medical devices a recommendation to address the vulnerabilities "that could directly impact medical devices or hospital network operations."

That said, if you are a user of the aforementioned devices, you shouldn't be gravely concerned about the vulnerabilities at the moment. But checking with the manufacturer of the medical device about the safety and the wireless security of the device might save you from some sleepless nights.

Jack's colleagues at IOActive are doing two presentations at Black Hat this week, focusing on compromising industrial facilities from 40 miles away and car hacks (see more on the latter topic below). It is not known whether or not the company will be disclosing any of Jack's findings on medical device security.

Air Traffic Control

The next-generation air traffic control system, called NextGen, will include automatic dependent surveillance-broadcast (ADS-B) technology, due to be installed on the majority of aircraft operating within the US by 2020, and even earlier in the EU.

The technology, which will ultimately replace radars, will be capable of broadcasting more accurate information about the position, altitude, velocity, and other characteristics of each aircraft, thus improving flight safety and streamlining air traffic management.

NextGen will be even more heavily dependent on global positioning system (GPS) signals than the current systems. But that means the system could be easily jammed with consumer devices that sell for under $100. GPS jammers, while illegal in the US, are easy to obtain online and can disrupt the normal functioning of certain cellular networks, pagers and a number of other systems.

Moreover, current air traffic control systems have been repeatedly hacked in nationwide events already, as was revealed in a report published in 2009. The FAA report showed that despite the brief outage of several ATC systems in Alaska in 2006, there were no plane crashes or any significant incidents.